- ✅ All processing happens locally on your computer
- ✅ No email content is ever sent to external servers
- ✅ Your data stays on your device
- ✅ You can delete all data at any time
What data we access
When you connect your Gmail account, Email Slayer requests access to:
| Data type | What we access | Why |
|---|---|---|
| Message headers | From, Subject, Date, To, List-Unsubscribe, List-Unsubscribe-Post | To analyze who sends you the most email and detect unsubscribe links |
| Message metadata | Size and labels per message | To show storage usage and group messages |
| Message counts | Total messages and threads | To show inbox statistics |
| Labels | Label names and counts | To understand inbox organization |
| Existing Gmail filters | List of your filters | To detect which senders are already blocked |
| Your email address | Gmail address | To identify your account |
| Your name | Display name | To personalize the app |
What we do NOT access
- Email body content (the actual message text)
- Attachments
- Draft emails
- Sent email content
- Contact list
- Calendar
- Your Gmail password
Email deletion feature
When you use the "Delete emails from sender" feature:
- Emails are moved to your Gmail Trash (not permanently deleted)
- Gmail keeps trashed emails for 30 days before automatic permanent deletion
- You can restore trashed emails from Gmail if needed
- We keep a local audit log of what was deleted for your reference
Where data is stored
All data is stored locally on your device only.
| Platform | Data location |
|---|---|
| macOS | ~/Library/Application Support/Email Slayer/ |
| Windows | %APPDATA%\Email Slayer\ |
| Linux | ~/.config/Email Slayer/ |
What's stored locally
| File | Contents |
|---|---|
emailslayer.db | SQLite database with scan results (message metadata, sender aggregates) |
settings.json | Your app preferences |
| Keychain / Credential Store | OAuth tokens (encrypted by your OS) |
Data transmission
No email data. Email Slayer does not transmit any of your email content, headers, metadata, counts, or any other mailbox information to any external server.
The app only connects to:
| Service | Purpose |
|---|---|
accounts.google.com | OAuth authentication |
gmail.googleapis.com | Fetch email metadata (directly from Google) |
downloads.emailslayer.com | Check for app updates (fetches version.json only — no user data sent) |
All connections use HTTPS encryption.
Licence verification
When you activate a licence, Email Slayer sends your licence key and the Gmail address you're activating it for to our licence server — nothing else.
Permissions rationale
Email Slayer requests the minimum Google OAuth scopes needed:
gmail.modify
What it allows: Read email metadata (headers, labels) and move emails to trash.
Why we need this: To enable the "Delete emails from sender" feature, which moves unwanted emails to your Gmail Trash.
What we actually use:
messages.list— Get message IDsmessages.getwithformat: 'metadata'— Read a limited set of headers only:From,Subject,Date,To,List-Unsubscribe, andList-Unsubscribe-Post. The email body is never downloaded.messages.trash— Move emails to trash (when you request deletion)labels.list— List your labels
gmail.settings.basic
What it allows: Read and create Gmail filters.
Why we need this: To detect existing filters (blocked senders) and create new ones when you block a sender.
userinfo.email and userinfo.profile
What it allows: Access to your email address and display name.
Why we need it: To show which account is connected and personalize the dashboard.
Data security
OAuth token storage
Your Google OAuth tokens are stored securely using your operating system's credential storage:
| Platform | Storage method |
|---|---|
| macOS | Keychain (encrypted) |
| Windows | Data Protection API (DPAPI) |
| Linux | Secret Service / libsecret (if available) |
If secure storage isn't available, tokens are encrypted with AES-256 before saving to disk.
Local database
The SQLite database is stored in your user data folder with standard file system permissions. It contains only metadata — never email content.
How to delete your data
Option 1: Log out
- Open Email Slayer
- Click Log out at the bottom of the sidebar
- This removes your OAuth tokens. Your scan history stays on disk.
Option 2: Delete individual scan sessions
- Go to History
- Delete any individual scan session you no longer want
Option 3: Full reset
- Go to Settings → Data management
- Click Reset everything
- This deletes all scan data, signs you out, restores default settings, and restarts the app.
Option 4: Complete removal
- Uninstall Email Slayer
- Delete the data folder (see locations above)
Option 5: Revoke Google access
- Go to Google Account Security
- Find "Email Slayer" in the list
- Click Remove Access
This immediately invalidates all tokens and prevents further access.
Third-party services
Inside the desktop app
| Service | Purpose | Data shared |
|---|---|---|
| Google Gmail API | Fetch email metadata | OAuth token (for authentication) |
| Email Slayer update server | App updates | None (fetches a public version.json file only) |
The desktop app contains no analytics, advertising, or tracking services. It does not phone home, it does not report usage, it does not send error reports automatically. Nothing about how you use the app is ever transmitted anywhere.
On this marketing website
The emailslayer.com marketing website (the site you are
reading right now) uses Simple Analytics
to measure aggregate traffic. Simple Analytics is a privacy-respecting,
EU-hosted analytics service chosen specifically because it does not
compromise visitor privacy:
- No cookies. Simple Analytics does not set any cookies in your browser.
- No personal data. IP addresses are discarded after the visit is recorded; nothing identifying is ever stored.
- No cross-site tracking. Simple Analytics cannot follow you to or from other websites.
- GDPR, CCPA and PECR compliant — which is why we do not need a cookie banner.
- EU-hosted in the Netherlands. No data leaves the EU.
What we actually collect: aggregate page views, referrer (how you arrived), approximate country, browser and device type, and clicks on our download and purchase buttons. Nothing that can identify you as an individual, and nothing is ever sold, shared, or cross-referenced with any other dataset.
See Simple Analytics' own data policy for the full technical breakdown. Important: this applies only to the marketing website. The desktop app you install on your computer never talks to Simple Analytics or any other analytics service.
Children's privacy
Email Slayer is built for adults managing their own Gmail inbox, but the privacy guarantees in this policy apply equally to every visitor regardless of age. No personal data is collected from anyone — children included — on this website or inside the desktop app.
Changes to this policy
We may update this policy occasionally. Changes will be noted with an updated "Last Updated" date. Significant changes will be announced in app update notes.
Contact
For privacy questions or concerns:
- Email: support@emailslayer.com